
Questions Board Members Should Ask to Measure Third-Party Risk Management Effectiveness


With rising global costs and supply chain disruptions, organizations increasingly rely on third-party products and services. Outsourcing to third parties can bring many benefits, as third-party relationships can drive better financial results, innovation, and business resilience; however, if a third-party relationship fails, the consequences for your organization can be severe.

Third-party risk management (TPRM) is crucial both to limit your exposure to third-party risk and to keep you aware of whether a third party is struggling or on the verge of failing. Unfortunately, TPRM programs are often undervalued despite the significant value they can bring to an organization. For TPRM to succeed in protecting your organization, board involvement and support are essential.

6 Reasons Why the Board of Directors Should Support Third-Party Risk Management

To effectively govern the organization, the board of directors must be aware of the risks of doing business with third parties. The board is responsible for ensuring that adequate third-party risk controls are implemented throughout the organization. The following are important reasons why the board needs to support third-party risk management:

  1. It’s a regulatory expectation: Regulatory authorities expect board members to lead their organizations safely and soundly, as board members and senior managers are ultimately responsible for third-party relationships and for managing the associated risks. Regulatory expectations, such as the Interagency Guidance on Third-Party Relationships: Risk Management, state:

    “A banking organization's board of directors has ultimate responsibility for providing oversight for third-party risk management and holding management accountable.”

    This includes providing clear guidance on the organization’s risk appetite and on its TPRM policies, procedures, and practices.

    Tips to develop the overall TPRM strategy and policy

    The following are helpful to keep in mind as you create the TPRM strategy and policy: 

    • The board should review and approve the mission and purpose of the TPRM program.
    • The board should also be aware of the organization’s critical third parties.
    • The minutes of board meetings should document board input, review, and approval of the TPRM strategy and policy, as well as:
      • The criteria for categorizing critical activities
      • The approved plan for managing the vendor lifecycle
      • A summary of the results of due diligence and ongoing monitoring of third parties
      • Proof of oversight of management efforts to monitor performance, material issues, or changing risks identified through an internal or external audit
  2. Enforcement is increasing: Board members must recognize that as legislation is implemented more widely, stronger enforcement policies and cross-border cooperation substantially increase the likelihood that an infraction will be prosecuted. The SEC filed 760 enforcement actions in fiscal year 2022, resulting in a total of more than $6.4 billion in penalties and disgorgement. In addition, the Department of Health and Human Services has imposed steep regulatory fines in response to third-party data breaches.
  3. Integrated TPRM and real-time mitigation are needed: Organizations are finding that a siloed approach to TPRM is ineffective and costly. There is an increasing need to identify and mitigate risks in real time or near real time across the supply chain. Board members should push for a proactive and responsive approach instead of relying on historical, reactive methods of risk identification and response. For example, TPRM software can help your organization respond to risks more quickly and obtain forward-looking indicators of risk rather than relying on historical data alone.
  4. Global legislation compliance requirements can be costly: As third, fourth, and even fifth parties are spread across the globe, organizations are responsible for complying with legislation in multiple jurisdictions. There can be steep fines for violating regulations such as the EU’s General Data Protection Regulation, and such violations damage your organization’s reputation as well as its finances. Board members should also be aware of the geopolitical risks posed by foreign third parties. Monitoring third-party risk to comply with regulations becomes increasingly important as organizations expand internationally. Board members should identify the global risks that third parties pose to their organization and evaluate the policies and procedures in place to address them.
  5. Ineffective TPRM increases the personal risk to senior leaders and management: Ineffective TPRM exposes board members and senior leaders to personal liability. Board members must understand that employees, including senior management, may be held liable for corruption perpetrated by third parties under the U.S. Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, Sapin II in France, and similar legislation in other jurisdictions.
  6. ESG risks continue to evolve: ESG risks are a complex set of environmental, social, and governance factors that can affect an organization’s financial position, operating performance, and reputation. Examples of ESG factors are:
    • Environmental: climate change and carbon emissions, pollution, and waste management
    • Social: community relations, human rights, and labor standards
    • Governance: bribery and corruption, executive compensation, lobbying, and political contributions

Several EU member states and countries across the globe have laws to protect human rights and the environment. Domestically, the SEC is taking note of ESG and has proposed regulations. Most ESG laws require third-party risk assessments. ESG risk management should be integrated into your organization's TPRM program to comply with international law and to help raise ethical standards. As ESG continues to evolve, board members should work with senior management to adjust TPRM policies, procedures, and practices so that they align with the organization’s ESG goals and meet regulatory requirements. If the board has made ESG commitments, it will need to ensure those commitments are carried through in the TPRM program.

How Board Members Can Measure the Effectiveness of TPRM 

Boards of directors can no longer take a passive stance on third-party risk management. They are responsible for setting a clear tone from the top that TPRM is a priority for the organization.

As board members work to better define the scope, structure, and effectiveness of the TPRM program, here are key questions to ask:

  1. Who is responsible for overseeing third-party risk on the board and its committees? What is the management's responsibility?
  2. What subject matter expertise does the board have for advising management on third-party risk and opportunity?
  3. What are the key risks posed by third parties to the organization? Are there any key risks associated with more extended suppliers, such as fourth, fifth, and sixth parties?
  4. Are siloed processes hindering the company's approach to TPRM, and what can be done to integrate the approach to TPRM?
  5. How could the company improve its approach to TPRM and integrate it throughout the organization? What investments should it consider?
  6. Is the organization using effective tools for measuring and managing TPRM? What is the process for escalating third-party risks? Do mitigation responses result from escalation, and how effective are mitigation responses?
  7. What information does the board receive from management regarding third-party risk? What is the quality, frequency, and relevance of the information provided?
  8. In what ways does management's information contribute to an informed TPRM strategy, and how could it be improved?

Boards play a crucial role in designing and implementing effective TPRM programs. The success of the program depends on the tone at the top. Creating and sustaining TPRM program compliance across the organization requires board support both in the early phases of the program and over the long term.